View Issue Details

ID: 0025362
Project: mantisbt
Category: api rest
View Status: public
Last Update: 2019-07-04 20:43
Reporter: pgiraud
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: acknowledged
Resolution: open
Platform: PC
OS: Debian
OS Version: 9
Product Version:
Target Version:
Fixed in Version:
Summary: 0025362: API_TOKEN conflicts with basic auth
Description

In my company we use Mantis along with other applications. Our testing infrastructure is behind an nginx proxy with Basic Authentication.

I recently tried to use the Rest API in Mantis. While it works well on our production server, I get rejected with an unauthorized error on the testing instance.

After some digging in the code, it looks like the fact that Mantis relies on the "Authorization" header key is a problem. It conflicts with basic authentication which relies on this key as well. The same header key can't be used twice.

As a temporary workaround, I patched api/rest/restcore/AuthMiddleware.php and replaced HEADER_AUTHORIZATION by 'HTTP_APITOKEN' and I'm requesting the API with --header 'APITOKEN:xxxxxxx'.

I would suggest the following changes in the code:

  • look for an 'HTTP_APITOKEN' header,
  • if not empty, compare with available tokens,
  • if empty, look for an 'HTTP_AUTHORIZATION' header,
  • if empty or starts with 'Basic', don't take into account,
  • else compare with available tokens (in order not to break existing apps).

If it sounds good I can provide a PR.

Steps To Reproduce

If you run apache, I think this can easily be reproduced using apache and an .htaccess file.

Tags: No tags attached.

Activities

l2m (reporter) ~0062350, 2019-07-03 11:28, last edited: 2019-07-04 20:31

Hi,
I had the same problem because we needed to send two Authentication headers (one for the http server and the token for Mantis).
In api/rest/restcore/AuthMiddleware.php, the getHeaderLine($name) method is used. The documentation page states that "You may also fetch a comma-separated string with all values for a given header" (see http://www.slimframework.com/docs/v3/objects/request.html).
I've tested a workaround by splitting the value and it seems to work.
The getHeader($name) method could be used and we could test each value of the returned array to see if it matches a token.
Code example:

$t_user_id = false;
$t_authorization_header = '';
$t_authorization_header_array = $request->getHeader( HEADER_AUTHORIZATION );
foreach( $t_authorization_header_array as $t_value ) {
    $t_user_id = api_token_get_user( $t_value );
    if( $t_user_id !== false ) {
        // first value that matches a known token wins
        $t_authorization_header = $t_value;
        break;
    }
}

if( $t_user_id === false ) {
    return $response->withStatus( HTTP_STATUS_FORBIDDEN, 'API token not found' );
}
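The following is an added example illustrating both proposals in this issue (the reporter's ordering: dedicated API token header first, then each Authorization value, skipping Basic credentials; and l2m's loop over the array returned by Slim's getHeader()). It is not MantisBT code: `auth_header_candidates`, `is_basic_credential`, `resolve_api_user` and the sha256 token table are constructed for the example, and `example_token_get_user` is a stand-in for MantisBT's real `api_token_get_user()`.

```php
<?php
// Added example, not MantisBT code. Shows how to pick an API token out of a
// request that also carries HTTP Basic credentials for an upstream proxy.
// Function names and the token table are constructed for this example;
// MantisBT's real lookup is api_token_get_user().

declare(strict_types=1);

/**
 * Split one or more Authorization header values into individual candidates.
 * Slim's getHeader() returns an array of values; a proxy may also have joined
 * several values with commas, so those are split as well.
 *
 * @param string[] $p_header_values raw values of the header
 * @return string[] trimmed, non-empty candidate values
 */
function auth_header_candidates( array $p_header_values ): array {
	$t_candidates = array();
	foreach( $p_header_values as $t_value ) {
		foreach( explode( ',', $t_value ) as $t_part ) {
			$t_part = trim( $t_part );
			if( $t_part !== '' ) {
				$t_candidates[] = $t_part;
			}
		}
	}
	return $t_candidates;
}

/**
 * A value carrying the Basic scheme is the proxy's credential, never an
 * API token, so it must not be compared against the token table.
 */
function is_basic_credential( string $p_value ): bool {
	return stripos( $p_value, 'Basic ' ) === 0;
}

/**
 * Stand-in for MantisBT's api_token_get_user(): the real function hashes the
 * token and looks it up in the database. Here a constructed table of sha256
 * hashes maps to user ids. Returns the user id, or false if no token matches.
 */
function example_token_get_user( string $p_token ) {
	// Constructed sample data: hash of the token => user id
	static $s_tokens = null;
	if( $s_tokens === null ) {
		$s_tokens = array(
			hash( 'sha256', 'example-token-for-user-7' ) => 7,
		);
	}
	$t_hash = hash( 'sha256', $p_token );
	foreach( $s_tokens as $t_stored_hash => $t_user_id ) {
		// hash_equals() compares in constant time, so a partial match
		// does not leak through timing differences
		if( hash_equals( $t_stored_hash, $t_hash ) ) {
			return $t_user_id;
		}
	}
	return false;
}

/**
 * Resolve the user for a request in the order proposed in the issue:
 * a dedicated API token header wins; otherwise each Authorization value is
 * tried in turn, skipping Basic credentials.
 *
 * @param string[] $p_apitoken_values      values of a dedicated API token header
 * @param string[] $p_authorization_values values of the Authorization header
 * @return int|false user id, or false when no value matched a known token
 */
function resolve_api_user( array $p_apitoken_values, array $p_authorization_values ) {
	foreach( auth_header_candidates( $p_apitoken_values ) as $t_token ) {
		$t_user_id = example_token_get_user( $t_token );
		if( $t_user_id !== false ) {
			return $t_user_id;
		}
	}
	foreach( auth_header_candidates( $p_authorization_values ) as $t_value ) {
		if( is_basic_credential( $t_value ) ) {
			continue;
		}
		$t_user_id = example_token_get_user( $t_value );
		if( $t_user_id !== false ) {
			return $t_user_id;
		}
	}
	return false;
}

// Constructed request: proxy Basic credentials plus the API token, both sent
// as Authorization values (the shape Slim's getHeader() returns).
$t_authorization = array( 'Basic dXNlcjpwYXNz', 'example-token-for-user-7' );
var_dump( resolve_api_user( array(), $t_authorization ) );
// Only the proxy credential present: no token matches.
var_dump( resolve_api_user( array(), array( 'Basic dXNlcjpwYXNz' ) ) );
```

In a Slim middleware the two arrays would come from `$request->getHeader( 'Authorization' )` and from whatever dedicated header name is chosen (the reporter's workaround uses APITOKEN, which PHP exposes as HTTP_APITOKEN). Skipping the Basic value before the lookup matters for more than correctness: it keeps the proxy's base64-encoded username and password out of the token comparison path and out of any log line that records rejected tokens.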
vboctor (manager) ~0062358, 2019-07-04 20:35

I'm leaning towards handling multiple authorization headers with the same name if that works for @pgiraud

PRs are welcome.

Issue History

Date Modified Username Field Change
2019-01-21 03:09 pgiraud New Issue
2019-07-03 11:28 l2m Note Added: 0062350
2019-07-04 20:22 vboctor Assigned To => vboctor
2019-07-04 20:22 vboctor Status new => assigned
2019-07-04 20:31 vboctor Note Edited: 0062350 View Revisions
2019-07-04 20:35 vboctor Note Added: 0062358
2019-07-04 20:43 vboctor Assigned To vboctor =>
2019-07-04 20:43 vboctor Status assigned => acknowledged